CrowdStrike connector's message size incompatible with RabbitMQ 4.0 #3528

Closed
initstring opened this issue Mar 1, 2025 · 6 comments
Labels: bug (use for describing something not working as expected), solved (use to identify issue that has been solved; must be linked to the solving PR)

@initstring
Contributor

initstring commented Mar 1, 2025

Description

RabbitMQ 4.0 introduced a new default to limit message size to 16MB. This ends up breaking the CrowdStrike connector, causing it to fail during run with messages like this:

{"timestamp": "2025-03-01T00:23:41.164115Z", "level": "ERROR", "name": "Crowdstrike", "message": "CrowdStrike connector internal error: (406, 'PRECONDITION_FAILED - message size 47984031 is larger than configured max size 16777216')"

(snipped rest of error)

RabbitMQ 4.0 is the official version listed in the OpenCTI docker-compose file here, so it is likely others will run into this.

This can actually be solved easily by passing the following env var to the RabbitMQ container, and then the data ingestion will proceed without issue.

RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS=-rabbit max_message_size 100000000

I'm happy to open a PR somewhere but am not sure where it should go - possibly in the CrowdStrike connector docs, as not all users may want to change this value?

Environment

  1. OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }: Kubernetes
  2. OpenCTI version: { e.g. OpenCTI 1.0.2 }: 6.5.3
  3. OpenCTI client: { e.g. frontend or python }: N/A
  4. Other environment details: CrowdStrike connector v6.5.3, RabbitMQ 4.0-management

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Install current recommended versions of OpenCTI and CrowdStrike connector
  2. Try to sync CrowdStrike including default recommended report types
  3. View logs, observe failure

Expected Output

Expect connector to complete without failure.

Actual Output

Additional information

Screenshots (optional)

initstring added the labels bug (use for describing something not working as expected) and needs triage (use to identify issue needing triage from Filigran Product team) on Mar 1, 2025
@initstring
Contributor Author

Created documentation PR here: #3537

@dominictory

Hi, I added RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-rabbit max_message_size 100000000" to my docker-compose as I want to fix the issue, however my stack now won't start as it says the RabbitMQ container is unhealthy:

rabbitmq:
    image: rabbitmq:${RMQ_VERSION}
    environment:
      - RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER}
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS}
      - RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-rabbit max_message_size 100000000"
    volumes:
      - amqpdata:/var/lib/rabbitmq
    ports:
      - "15672:15672"
    restart: always
    healthcheck:
      test: rabbitmq-diagnostics -q ping
      interval: 30s
      timeout: 30s
      retries: 3

@initstring
Contributor Author

initstring commented Mar 3, 2025

Hi @dominictory - interesting, thanks for sharing. I can confirm it is working fine for me with no restarts. Do you see any relevant errors in the logs for the rabbitmq container?

I'm using Kubernetes and not a docker-compose file... could you try removing the quotes to see if the syntax is slightly different?

rabbitmq:
    image: rabbitmq:${RMQ_VERSION}
    environment:
      - RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER}
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS}
      - RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS=-rabbit max_message_size 100000000
    volumes:
      - amqpdata:/var/lib/rabbitmq
    ports:
      - "15672:15672"
    restart: always
    healthcheck:
      test: rabbitmq-diagnostics -q ping
      interval: 30s
      timeout: 30s
      retries: 3

@initstring
Contributor Author

I've been able to reproduce @dominictory's issue in Docker. Removing the quotes fixes the problem.

Apologies for the confusion.

Fixed in PR here: afb83ff
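
The quoting difference discussed in the comments above, as an added example that is not part of the original thread or the OpenCTI project's code. It is a small Python check with hypothetical names (`check_erl_args`, `would_fit`) that treats each list-form `environment:` entry as the literal string the container receives, assuming Compose passes the value through unchanged, and tests whether the configured limit covers the rejected message size from the log.

```python
import re

# Constructed sample: the two list-form entries from the thread, as the strings
# YAML yields (a plain scalar keeps any quote characters that appear inside it).
QUOTED = 'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-rabbit max_message_size 100000000"'
UNQUOTED = 'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS=-rabbit max_message_size 100000000'
# Broker error text as it appears in the connector log quoted in the issue.
ERROR = ("(406, 'PRECONDITION_FAILED - message size 47984031 is larger "
         "than configured max size 16777216')")

ARG_RE = re.compile(r"(?:^|\s)-rabbit\s+max_message_size\s+(\d+)(?=\s|$)")
REJECT_RE = re.compile(r"message size (\d+) is larger than configured max size (\d+)")

def check_erl_args(entry):
    """Return (max_message_size or None, findings) for one KEY=VALUE entry."""
    key, _, value = entry.partition("=")  # assumption: value is passed through as-is
    findings = []
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        findings.append(f"{key}: value is wrapped in literal {value[0]} characters")
    match = ARG_RE.search(value)
    if match is None:
        findings.append(f"{key}: no clean '-rabbit max_message_size N' argument")
        return None, findings
    return int(match.group(1)), findings

def parse_rejection(message):
    """Extract (rejected_size, configured_max) from a 406 PRECONDITION_FAILED text."""
    match = REJECT_RE.search(message)
    return (int(match.group(1)), int(match.group(2))) if match else None

def would_fit(entry, message):
    """True only if the entry is clean and its limit covers the rejected message."""
    limit, findings = check_erl_args(entry)
    rejected = parse_rejection(message)
    if limit is None or findings or rejected is None:
        return False
    return rejected[0] <= limit

if __name__ == "__main__":
    for entry in (QUOTED, UNQUOTED):
        print(check_erl_args(entry), would_fit(entry, ERROR))
```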

@Megafredo
Member

Hello @initstring and @dominictory, not long ago we responded to a user here who had the same problem: #3251 (comment)

We're going to fix the problem directly in our docker (at source) via this PR (https://github.com/OpenCTI-Platform/docker/pull/366/files) to prevent it from happening again for future users, but we've chosen to use the maximum size allowed by RabbitMQ.

See the documentation:
https://www.rabbitmq.com/docs/configure#config-items

In any case, thank you very much for your help and your suggestion in the README! We really appreciate it!

@initstring
Contributor Author

That's a much better solution, thanks @Megafredo! I'll close the docs PR with a link to this.

Megafredo added the label solved (use to identify issue that has been solved; must be linked to the solving PR) and removed the label needs triage (use to identify issue needing triage from Filigran Product team) on Mar 6, 2025